May 13, 2017

The equipment aboard an EP-3E electronic surveillance plane

Since the start of the Snowden-revelations in 2013, many people got the impression that the US National Security Agency (NSA) mainly intercepts the communications of ordinary citizens. In reality, the NSA is part of the Department of Defense and as such, a large part of its job is to collect data for tactical military purposes.

The report was among the Snowden-documents and published by The Intercept on April 10. As will be shown here, it provides many details about both the interception and the encryption equipment aboard the EP-3E aircraft.

A Lockheed EP-3E electronic surveillance aircraft from the US Navy(photo: US Navy - click to enlarge)

Damage assessment

The purpose of the report was to review and assess the damage to cryptologic sources and methods and the response of the US SIGINT agencies to the crisis. The second was to review and assess emergency destruction of classified material and the emergency procedures.

In general, damage to Communications Security (COMSEC) systems, like cryptographic devices,
keying material and encryption methodology, was considered low, mainly because cryptographic devices are designed in anticipation of being lost or compromised.

For Signals Intelligence (SIGINT), the equipment to intercept communications and other signals as well as the results of these efforts, there was an opposite approach: the assumption had been that sensitive SIGINT material would be protected at all time, or destroyed before it was lost or compromised.

Because emergency destruction techniques didn't kept pace with technology, especially where they often no longer reside in hardware, but in software. The Hainan incident revealed that existing destruction procedures were outdated and inadequate. Also, individual and crew training appeared to be deficient and lacked realism and context.

Nevertheless, damage in the realm of tactical SIGINT was assessed to be medium, which means that the damage was recoverable with concerted effort.

The damaged EP-3E after it had landed on the Hainan island(click to enlarge)

The EP-3E aircraft

The EP-3E aircraft is a modified version of the Lockheed P-3 Orion, which is a four-engine turboprop aircraft developed for the US Navy and introduced in the 1960s. The Platform Integration division of the military contractor L-3 converted several P-3Cs into the EP-3E, which is also known as ARIES (Airborne Reconnaissance Integrated Electronic System). The Navy has 11 EP-3Es, the last of which was delivered in 1997.

The plane generally has a crew of 24, including linguists, cryptographers and technicians. The EP-3E that flew over the South China Sea carried an 18-member reconnaissance team from the Navy, Marines, and Air Force, in addition to a 6-member flight crew. The position of their workstations can be seen in this schematic from the damage assessment report:

(click to enlarge)

Other tactical SIGINT spy planes are the Boeing RC-135 COBRA BALL, COMBAT SENT or RIVET JOINT of the US Air Force, the De Havilland RC-7 Airborne Reconnaissance Low (ARL) of the US Army and the Beechcraft (R)C-12 Huron, which is used by the Army, the Navy, the Air Force and the Marine Corps.

Together with other flying spying platforms like drones and satellites, these planes contribute to what is called Overhead Collection. The NSA's other primary information channels are cable access, hacking operations, joint NSA-CIA units and foreign partnerships.

COMINT equipment

COMINT stands for Communications Intelligence, which is information derived from the interception of foreign communications, either between people or between machines. Together, COMINT and ELINT (see below) are called SIGINT.

The COMINT collection system onboard the EP-3E consisted of
antiquated HF, VHF, and UHF receivers, a rudimentary signal distribution network, and
narrowband cassette recorders. The COMINT collection system used the ALD-9 antenna
and processor package. In addition to installed equipment, six carry-on computers were onboard.

The COMINT equipment was generally unclassified with the exception of two carry-on computers, a SCARAB computer containing the LUNCHBOX PROFORMA processor and a laptop containing MARTES analysis tools. All data on these two systems was considered compromised.

Although other planes in the military’s spy fleet had recently undergone a major surveillance equipment upgrade, the plane that ended up in Chinese hands was two weeks away from getting one, so the equipment was old and outdated and a lot of it didn’t work properly.

SCARAB computer

The SCARAB is a portable computer device that contained the LUNCHBOX processor, which uses software to process 40 worldwide PROFORMA signals, some teleprinter and pager signals, datalink signals for the HUNTER and PREDATOR drones, and the Joint Air to Surface Stand Off Missile (JASSM) datalink. Additionally, the SCARAB computer contained the XBIT Signals Analysis software for bit manipulation and BLACKMAGIC demodulation software.

PROFORMA is the codename for digital command and control data communications
that relay information and instructions to and from radar systems, weapon systems (like surface-to-air missiles, anti-aircraft artillery, fighter aircraft), and control centers.

Exploitation of this information provides US and allied warfighters nearly instantaneous
situational awareness data from a target country's radar systems. This information
supplements US sensor systems while providing insight into the target country’s
decision process.

Several working aides aboard the EP-3E provided details about Russian-designed PROFORMA signals used by North Korea, Russia, Vietnam, and possibly China. This material detailed the association of signals to specific weapon systems. China was known to use two of the signals resident in the LUNCHBOX processor.

For the 2001 mission over the South China Sea, the Science and Technology (S&T) Operator aboard the EP-3E was tasked to collect and process PROFORMA signals possibly associated with Chinese SA-10 surface-to-air missiles and Chinese short-range air navigation.

MARTES laptop

Besides the SCARAB computer, there was also a Tadpole Ultrabook IIi laptop, which contained the MARTES software tools, the RASIN Manual, the RASIN Manual Working Aid and the Telegraphic Codes Manual.

RASIN stands for Radio Signals Notation and is the COMINT Signal Classification System for classifying and reporting a wide variety of signals with their associated parametrics and
characteristics. Together, the RASIN manual and the aforementioned files provided a comprehensive overview of how US intelligence exploits an adversary’s signal environment.

MARTES is the name of a set of software tools for collecting, analyzing, and
processing signals. A new version of MARTES is
released approximately every six months, and it is generally divided into COMINT,
FISINT and ELINT tools.

A portable, digital player/recorder used to collect the signals analyzed by
MARTES contained a tape of 45 minutes of enciphered and unenciphered Chinese Navy
communications. The unenciphered portions carried speech segments that identified
Chinese communicants.

The compromise of the largely tactical COMINT documentation was rated
medium. The most sensitive and damaging documentation contained detailed collection requirements against Chinese military datalink and microwave signals. The tasking data included frequencies, data rates, dish sizes, and target communicants.

Also compromised was the ability of the US to collect Chinese submarine signal transmissions and make subsequent vessel correlations. This compromise could prompt the Chinese to modify that particular signal.

ELINT equipment

ELINT stands for Electronic Intelligence and comprises the technical and intelligence information obtained from the intercept and analysis of noncommunication, electromagnetic radiations.

The ELINT systems onboard the EP-3E included a disparate collection of
antennas, signal distribution networks, wideband and narrowband receivers, recorders,
and processing and display equipment. The bulk of these systems were off-the-shelf
devices that, although designed for the ELINT mission, contained no particularly sensitive
technologies.

The system that were of a specific concern after the Hainan incident included the AN/ULQ-16
and the AN/ALQ-108. The AN/ULQ-16 is a computerized pulse processor used to make
detailed timing measurements of radar signals. The AN/ALQ-108 is an enemy IFF (Identify Friend or Foe) interrogation system, which is used to actively and passively exploit early Soviet IFF and range extension signals.

Emergency destruction of the ELINT equipment during the Hainan incident was
largely ineffective. The crew zeroized (deleted) all memories and erased all mission data, but the
rugged construction of critical components and lack of destruction tools prevented
adequate destruction.

Communications equipment

For internal communications, the EP-3E uses the the Digital Communications
Management System (DCMS). All operational crew positions have access to the DCMS
with headsets or through their helmets, with the exception of personnel in the galley and observers in the flight station. Communication paths between crew members are divided into various audio
networks.

For communications with the outside world, there are numerous radios onboard, which connect to a variety of radio networks. Short-range communications are conducted using both
plain voice and secure VHF and UHF radios. When the aircraft is on a mission for Sensitive Reconnaissance Operations (SRO), long-range communications with NSA and military operation centers are conducted via HF radio and over secure UHF satellite networks.

Radio/satellite transceivers

The EP-3E was equipped with the following radio transmitter/receivers (transceivers):

- Two AN/ARC-94 HF radios for long-range communication. One (HF-1) is configured for secure modem communications and is encrypted using a KG-84C encryption device. The other (HF-2) is configured for voice communications and can be encrypted using a KYV-5 encryption device.

- Three AN/ARC-206 radios for UHF line-of-sight communications. UHF-1 and UHF-2 are controlled by the Senior Evaluator (SEVAL) and are configured for voice communications. Both can be encrypted using KY-58 encryption devices. A third AN/ARC-206 radio is configured for line-of-sight datalink operations.

- Two AN/ARC-182 radios for VHF or UHF line-of-sight communications. Both are controlled from the flight station and are configured for voice communications. Both can be encrypted using KY-58 encryption devices. The control units for these radios have a switch setting allowing an easy and immediate change to emergency frequencies.

- One LST-5 satellite radio for secure UHF voice satellite communications. The radio can only be controlled locally at its location is in an avionics bay inside the aircraft cabin. It is encrypted using a KY-58 encryption device.

- The OL-390 Digital Communications Group and its associated UHF radio are used for secure satellite modem communications. The radio is controlled by the secure communications operator and is encrypted using a KG-84A encryption device. Because this radio shares distribution and antenna equipment with the LST-5, simultaneous transmission using both radios is not possible.

Encryption devices

For securing voice and data communications, the EP-3E had 16 encryption devices onboard, of the following types:

- The KY-58, which is used for voice and data encryption at 16 Kb/sec over AM/FM, VHF and UHF radio and satellite channels. The device can be used for data up to the classification level TOP SECRET. It accepts keys from the family of Common Fill Devices and also incorporates remote keying. The production of the KY-58, which is part of the VINSON family, was completed in 1993.

A KY-58 encryption device(photo via jproc.ca - click to enlarge)

- The KG-84, which is used for data encryption at 64 Kb/sec over radio and satellite channels. The KG-84 can be used for communications up to the level of TOP SECRET, depending on the key-set that is loaded, and is fully complient with NSA TEMPEST standards. Like similar encryption devices, the KG-84 can be controlled either locally, or remotely (for example from the cockpit) through a Remote Control Unit (RCU).

- The KYV-5, which is used for voice or data encryption over HF, VHF and UHF radio and satellite channels. The KYV-5 is a relatively small communications security module which is attached to a larger CV-3591 converter, together forming a TACTERM unit. The device is part of the Advanced Narrowband Digital Voice Terminal (ANDVT) family.

The damage assessment report isn't clear about whether the Chinese removed these encryption devices from the plane before giving it back to the US. The particular equipment had previously been compromised, though not directly to China, and the report also mentions that components of for example the KG-84 had also been available through sites like eBay.

Cryptographic materials

Beside the KY-58, KG-84 and KYV-5 encryption devices, the EP-3E also carries KYK-13 and KOI-18 electronic fill devices, a KL-43 off-line encryption device, and a Global Positioning System (GPS) unit.

The EP-3E that landed on the Hainan island also carried keying and other cryptographic materials for its various secure
devices, including Top Secret keying material in canisters, entire codebooks, and call sign lists. In all, this was much more than what was needed for the mission: nearly a month's worth of keying material and codebook pages that were not scheduled to become effective until well after the scheduled landing.

Instead, the use of an electronic key loading device such as the CYZ-10 Data Transfer
Device (DTD) could have eliminated the risk of hardcopy keying material compromise. These
devices can hold multiple keys, load multiple devices, and are easily zeroized.

During the Hainan incident, most cryptographic keys and codebooks had been jettisoned by the plane's crew, but the remaining material was considered compromised. However, all the encryption keys (except for the worldwide GPS key) were replaced by new ones within 15 hours of the EP-3E's emergency landing.

The radio equipment onboard the EP-3E conntected to the following networks:

- The Global High Frequency System (GHFS), which is a worldwide network of highpower
HF stations that provides air/ground HF command and control radio
communications between ground agencies and US military aircraft. The GHFS network
supports Sensitive Reconnaissance Operations aircraft by passing encoded advisory conditions (NICKELBACK), position reports and administrative traffic. As of October 1, 2002, the network was renamed into High Frequency Global Communications System (HFGCS).

- The Pacific Tributary Network (PTN), which is a UHF secure voice satellite network
that provides COMINT advisory support and threat warning to deployed US and allied forces. Network participants include the Pacific Reconnaissance Operations Center
(PACROC), which provides coordination and flight following to SRO aircraft, the NSA's Kunia Regional SIGINT Operations Center (KRSOC) on Hawaii and the National Security Operations Center (NSOC) at Fort Meade.

- The SIERRA ONE Early Warning network, which is a UHF secure voice satellite
network utilized by 5th and 7th Fleet Orion P-3's and EP-3E's for tactical reporting and
coordination. Network participants include all PACOM Tactical Support Centers (TSC) and
CTF 57/72, Kami Seya, Japan.

1 comment:

Electronic Equipment is used to create signals and capture responses from electronic devices under test (DUTs). In this way, the proper operation of the DUT can be proven or faults in the device can be traced.

US Red Phones

Sequence of the real Red Phones, not for the Washington-Moscow Hotline, but for the US Defense Red Switch Network (DRSN). The phones shown here were in use from the early eighties up to the present day and most of them were made by Electrospace Systems Inc. They will be discussed on this weblog later.

Contact

For questions, suggestions and other remarks about this weblog in general or any related issues, please use the following e-mail address: info (at) electrospaces.net

For sending an encrypted e-mail message, you can use the PGP Public Key under this ID: B4515E04

You can also communicate through Twitter: @electrospaces or XMPP/Jabber chat by using the address electrospaces (at) jabber.de

The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.QW5kIGZpbmFsbHksIHRoaXMgaXMgd2hhdCBhIHRleHQgbG9va3MgbGlrZSwgd2hlbiBpdCdzIG9ubHkgZW5jb2RlZCB3aXRoIHRoZSBzdGFuZGFyZCBCYXNlNjQgc3lzdGVtLiBHdWVzcyBob3cgY29tcGxpY2F0ZWQgaXQgbXVzdCBiZSB3aGVuIGEgcmVhbCBzdHJvbmcgYWxnb3JpdGhtIHdhcyB1c2VkLg==